S3 spillage spoils included driving licences and passports

Personal data collected by the operator leaked into an Amazon Web Services S3 cloud storage bucket. The leaked data, which includes images of identity documents was accessible to world+dog before the mobile operator finally acted to restrict access to the confidential files yesterday, 12 April.

The issue was uncovered by security researcher Niall Merrigan, who told us he had tried to disclose the problem to TrueMove H, but said the mobile operator had been slow to respond.

Amazon's answer to all those leaky AWS S3 buckets: A dashboard warning light

The researcher told El Reg that he’d uncovered around 46K records that collectively weighed in at around 32GB. Merrigan attempted to raise the issue with TrueMove H, but initially made little headway beyond an acknowledgement of his communication.

Representatives of the telco initially told him to ring its head office when he asked for the contact details of a security response staffer before telling him his concerns had been passed on some two weeks later, after El Reg began asking questions on the back of Merrigan’s findings.

In the meantime, other security researchers have validated his concerns.

“There were lots of driving licences and I think I saw a passport,” said security researcher Scott Helme. “I guess they have to send ID for something and the company is storing the photos in this bucket, which can be viewed by the public.”

El Reg approached TrueMove H about the incident. The mobile operator responded last month with a holding statement stating that it was investigating the matter and we hung fire on opublication until the data was no longer public facing.

Please kindly be informed that this matter has been informed to a related team for investigation. If they have any queries or require any further information from you, they will contact [you] later.

Merrigan said the exposed data was still available up until yesterday, when it was finally made private, allowing the security researcher to go public with his findings. A blog post by Merrigan that explains the breach - and featuring redacted screenshots of the leaked identity documents - can be found here. ®